Aws IAM 组:在 Terraform 上设置对日志组的只读访问
[英]Aws IAM group: Setup readonly access on log group on Terraform
问题描述
Does someone know how to setup read-only access to specific log groups?
有人知道如何设置对特定日志组的只读访问吗?
resource "aws_iam_policy" "logs" {
name = "AWSLogs${title(var.product)}"
description = "Logging policy for ${title(var.product)}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Get*",
"logs:List*",
"logs:Filter*"
],
"Resource": [
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.one.arn}:log-stream:*",
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.two.arn}:log-stream:*",
"arn:aws:logs:::log-group:${aws_cloudwatch_log_group.three.arn}:log-stream:*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
}
]
}
EOF
}
resource "aws_iam_group_policy_attachment" "logs" {
group = "${aws_iam_group.logs.name}"
policy_arn = "${aws_iam_policy.logs.arn}"
}
resource "aws_iam_group" "logs" {
name = "${title(var.product)}Logs"
}
I'm currently struggeling to setup to only have access on specified log groups, but I can only get access to them when I set my resource to "*".我目前正在努力设置为只能访问指定的日志组,但我只能在将资源设置为“*”时才能访问它们。 This is not possible when I setup this dedicated to predefined log groups.当我将其设置为专用于预定义日志组时,这是不可能的。 Does someone have a good practice or solution?有人有好的做法或解决方案吗? When I try this solution above I only get当我尝试上面的这个解决方案时,我只得到
Not authorized to perform: logs:FilterLogEvents, when I try to access it via an user which is part of the IAM group "logs".
2 个解决方案
解决方案1
1 2018-09-18 05:25:03
aws_cloudwatch_log_group.one.arn already is the full ARN of the one log group, ie, aws_cloudwatch_log_group.one.arn已经是one日志组的完整ARN,即
arn:aws:logs:us-east-1:123456789012:log-group:one
So refer only to that in the Resources list: 因此,仅参考“ Resources列表中的内容:
resource "aws_iam_policy" "logs" {
name = "AWSLogs${title(var.product)}"
description = "Logging policy for ${title(var.product)}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:Get*",
"logs:List*",
"logs:Filter*"
],
"Resource": [
"${aws_cloudwatch_log_group.one.arn}:log-stream:*",
"${aws_cloudwatch_log_group.two.arn}:log-stream:*",
"${aws_cloudwatch_log_group.three.arn}:log-stream:*"
]
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": "*"
}
]
}
EOF
}
解决方案2
0 2022-12-22 21:48:16
I was able to kind of solve this by adding a Condition filtering by tags to the Statement and making sure that the log groups and streams are tagged correspondingly:我能够通过向语句添加按标签过滤条件并确保日志组和流被相应标记来解决这个问题:
"Condition": {
"StringEquals": {
"aws:ResourceTag/sometagname": "sometagvalue"
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.